CVE-2011-1526
Summary
| CVE | CVE-2011-1526 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2011-07-11 20:55:01 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
SingleConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:L/Au:S/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 5.0 | All | All | All |
| Operating System | Debian | Debian Linux | 6.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 14 | All | All | All |
| Operating System | Fedoraproject | Fedora | 15 | All | All | All |
| Application | Mit | Krb5-appl | All | All | All | All |
| Operating System | Opensuse | Opensuse | 11.3 | All | All | All |
| Operating System | Opensuse | Opensuse | 11.4 | All | All | All |
| Operating System | Suse | Linux Enterprise Desktop | 10 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Desktop | 11 | sp1 | All | All |
| Operating System | Suse | Linux Enterprise Server | 10 | sp2 | All | All |
| Operating System | Suse | Linux Enterprise Server | 10 | sp3 | All | All |
| Operating System | Suse | Linux Enterprise Server | 10 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp1 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp1 | All | All |
| Operating System | Suse | Linux Enterprise Software Development Kit | 10 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Software Development Kit | 11 | sp1 | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [security-announce] openSUSE-SU-2012:0051-1: important: krb5-appl: Fixed | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| [security-announce] openSUSE-SU-2012:0019-1: important: krb5-appl: Fixed | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| MIT Kerberos krb5-appl FTP Daemon EGID Remote Privilege Escalation Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Patch, Third Party Advisory, VDB Entry |
| [security-announce] SUSE-SU-2012:0042-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Support / Security / Advisories / / MDVSA-2011:117 | Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Third Party Advisory |
| [SECURITY] Fedora 14 Update: krb5-appl-1.0.1-4.fc14 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Third Party Advisory |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-2283-1 krb5-appl | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| FTP daemon fails to set effective group ID - CXSecurity.com | af854a3a-2127-422b-91ae-364da2661108 | securityreason.com | Third Party Advisory |
| Security Advisory SA48101 - Red Hat update for krb5 - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Third Party Advisory |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| 711419 – (CVE-2011-1526) CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005) | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| Red Hat update for krb5-appl - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Third Party Advisory |
| [security-announce] SUSE-SU-2012:0010-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| [security-announce] openSUSE-SU-2011:1169-1: important: krb5: fixed kdc | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| [security-announce] SUSE-SU-2012:0050-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Kerberos Applications GSS-API FTP Daemon Effective Group ID Privileges Security Issue - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Third Party Advisory |
| www.osvdb.org/73617 | af854a3a-2127-422b-91ae-364da2661108 | www.osvdb.org | Broken Link |
| [security-announce] SUSE-SU-2012:0018-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Support | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | Third Party Advisory |
| [SECURITY] Fedora 15 Update: krb5-appl-1.0.1-7.fc15 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Third Party Advisory |
| web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt | af854a3a-2127-422b-91ae-364da2661108 | web.mit.edu | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.